Create an Indestructible Shared PC

Need to put a PC in a public place? A free Microsoft tool makes it easy to lock down.

Schools, libraries, and other organizations often want to make computers available in public places. These can become tempting targets for hackers. Even well-intentioned users can wreak havoc by deleting important files or accidentally installing malware.

Microsoft's free Shared Computer Toolkit lets you configure a PC that can be used to search the Internet, look up resources, and run approved programs; it also stops users from making permanent system changes, running arbitrary programs, or introducing malware. Administrators on domain-based PCs have long been able to do this; the toolkit offers a similar level of control for any PC. You don't need an IT degree: the kit leads an administrator through the steps of locking down a system.

We evaluated a recent release candidate of the toolkit, which can be downloaded at www.microsoft.com/sharedaccess. The toolkit requires Windows XP Service Pack 2 or Windows XP Tablet PC Edition 2005, and you'll probably need to download the oddly named User Profile Hive Cleanup Service. Start by installing the toolkit while logged on to an account that will become the toolkit administrator account. It will open a Getting Started applet that lists the steps you'll follow to lock down the computer.

The first step is usually to adjust the disk's partitioning to make room for Windows Disk Protection. WDP requires a region of unallocated disk space that is located just beyond the boot partition and whose size is at least 10 percent of the boot partition's size but no less than 1 GB. Windows doesn't provide a nondestructive partition management utility; the toolkit suggests using PartitionMagic 8 or Terabyte Unlimited's BootIt. If you're configuring a new computer, you can adjust the partition size during installation of Windows XP. When active, WDP discards all changes to the boot partition when the computer is restarted, so you won't turn it on until the other configuration steps are completed.

The second step pulls together a number of security settings and suggests you enable them all. One key option removes the toolkit administrator account from the Welcome screen; users won't know the account name, much less the password. As the administrator, you'll log in by pressing Ctrl-Alt-Del twice at the Welcome screen, then entering the account name and password in the dialog box. Among other restrictions, the toolkit can prevent other users from shutting down or restarting the computer, block Windows from caching Passport or other credentials, and disallow unapproved user profiles. The Test Your Password button checks to be sure you haven't used a blank password or a weak password like your username.

Next you'll create a public account to be shared by all walk-up users. (You can make multiple accounts by repeating the next few steps.) The instructions advise making it a Limited account, but there are also instructions for dealing with an Administrative account, in case a critical program won't run under a Limited one. For the setup, you should set a password for this account, or else Windows will boot to it on each restart, forcing you to log off and then into the toolkit administrator account. Next, the wizard asks you to log on to this new account and configure it completely, including setting appearance, configuring the printer, enabling the Quick Launch toolbar (if desired), and setting up programs such as Microsoft Office that perform user-specific initialization. Be sure to install add-ons like Adobe Reader and Flash. Now log off the public account and back into the toolkit administrator account.

In the wizard, the User Restrictions applet offers a range of limitations from mild to draconian. The Lock This Profile check box tells the system not to save Internet history and other user changes. You can force a specific home page and limit which drives are displayed in My Computer in order to block the user from bringing in software on diskette or USB key. You can configure this profile to log off after a specified amount of time, or of idle time. And you can set it to restart at log-off; this is significant when WDP is enabled, because restarting discards all changes to the Windows partition.

Checking the Recommended Restrictions box really locks down the system. Start menu restrictions eliminate many icons such as Control Panel and My Network Places, force the classic Start menu style, and disable right-clicking on Start menu items. General XP restrictions eliminate the Recycle Bin (so one user can't paw through another's trash), block access to such tools as the Command Prompt, Registry Editor, and Microsoft Management Console, and prevent activating Task Manager to kill specific processes. Internet Explorer restrictions disable right-clicking within IE, block access to Internet Options, and suppress certain toolbar buttons. Office restrictions disable macros and VBA and prevent other inappropriate changes. The Software Restriction Policy blocks all programs not found in the Windows or Program Files folder and prevents use of tools that could bypass the toolkit's security.

You can go even further. You can block Internet access for the account, prevent IE or Windows Messenger from running, or disable Microsoft Office. And you can disconnect this account from the All Users account, so the only items on the Start menu are those specifically installed for this user.

Next the wizard asks you to test the account and make sure it's not so restricted as to be unusable. You'll find it a novel experience. Most of the right-click menus are disabled. You can't launch a Command Prompt or enter a program name in the Run dialog. You can't change the wallpaper or set the clock. All you can do is run the programs listed in the Start menu or log off. Do run all the programs to be sure they work.

Now, log back on as administrator; you'll have to press Ctrl-Alt-Del twice. Turn on Windows Disk Protection. When WDP is active, it takes control of all programmatic requests to read or write data to the Windows drive. The write requests are trapped and stored without changing the drive itself. For read requests, WDP reads from the physical drive, then applies any modifications based on those stored write requests.
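The redirect-and-merge behavior described above, together with the sizing rule for the protection region, can be modeled in a few lines. This is an added Python sketch, not Microsoft's code and not part of the original article; the class and function names, the 512-byte sector size, and the sector-granular overlay are assumptions made for illustration.

```python
SECTOR = 512  # bytes per sector (assumed for this sketch)

class OverlayFull(Exception):
    """Raised when the protection region cannot hold another changed sector."""

class ProtectedDisk:
    """Toy model of disk protection: the base image is never modified."""

    def __init__(self, base: bytes, overlay_sectors: int):
        assert len(base) % SECTOR == 0
        self._base = base                 # stands in for the Windows partition
        self._overlay = {}                # sector number -> redirected contents
        self._capacity = overlay_sectors  # stands in for the unallocated region

    def _sector(self, n: int) -> bytes:
        # Read path: a stored write wins; otherwise fall through to the disk.
        return self._overlay.get(n, self._base[n * SECTOR:(n + 1) * SECTOR])

    def read(self, offset: int, length: int) -> bytes:
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        data = b"".join(self._sector(n) for n in range(first, last + 1))
        start = offset - first * SECTOR
        return data[start:start + length]

    def write(self, offset: int, payload: bytes) -> None:
        first, last = offset // SECTOR, (offset + len(payload) - 1) // SECTOR
        new = [n for n in range(first, last + 1) if n not in self._overlay]
        if len(self._overlay) + len(new) > self._capacity:
            raise OverlayFull("protection region exhausted")
        # Read-modify-write whole sectors so a partial write keeps its neighbours.
        buf = bytearray(b"".join(self._sector(n) for n in range(first, last + 1)))
        start = offset - first * SECTOR
        buf[start:start + len(payload)] = payload
        for i, n in enumerate(range(first, last + 1)):
            self._overlay[n] = bytes(buf[i * SECTOR:(i + 1) * SECTOR])

    def restart(self) -> None:
        # Dropping the stored writes is what undoes every change in the session.
        self._overlay.clear()

def min_protection_bytes(boot_partition_bytes: int) -> int:
    # Sizing rule from the article: at least 10 percent of the boot
    # partition, but never less than 1 GB.
    return max(boot_partition_bytes // 10, 1024 ** 3)
```

The `OverlayFull` case shows why the protection region has a minimum size: every changed sector consumes space there until the next restart.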
